When exercise tracking company Strava published a global heat map visualizing where people run and cycle throughout the world, the map inadvertently revealed sensitive U.S. military data not meant for public dissemination. Because a percentage of Strava’s users are military personnel exercising with Fitbits or other fitness trackers, the heat map also revealed the locations of active U.S. military bases in war zones.
In total, the heat map shows roughly one billion activities from Strava’s 27 million global users between 2015 and 2017. Areas such as London and Amsterdam (where the app is most used) glow yellow and white, while low-activity areas are shrouded in darkness. Combat areas and remote desert locations are predictably dark, except for illuminated paths inside the walls of known and classified military bases. Users on Twitter and Reddit have already identified military installations and routine patrol routes in Syria, Ukraine, Afghanistan, Yemen, Somalia, and more.
The danger of this information’s availability online is heightened by Strava’s “segments” feature, which gives anyone with an internet connection the ability to de-anonymize data and personally identify individual soldiers. Segments are small geographic areas where users can compete with their neighbors for the best performance and compare their stats to a public leaderboard. According to Wired, anyone can create a segment via Strava, meaning anyone can see the names and times of individual Strava users in certain regions, such as those exercising at classified outposts. The Guardian, for example, was able to identify 50 service members stationed outside an airfield in Afghanistan. This could give nefarious actors the opportunity to glean patterns of life from individuals stationed at military bases—information that could be transformed into actionable intelligence against U.S. soldiers and operations.
Strava does offer users the ability to turn off data collection, but some users report being unaware of this option or confused by the steps required to deactivate location sharing. Strava CEO James Quarles addressed the controversy in an open letter: “We are committed to working with military and government officials to address potentially sensitive data. Our engineering and user-experience teams are simplifying our privacy and safety features to ensure you know how to control your own data.”
While this security oversight has garnered more press coverage than most, it is not an isolated incident. As location-based services continue to proliferate, companies will release location data for one purpose without considering the security implications elsewhere or the legal and regulatory changes that will follow. According to Kevin Pomfret, a former satellite imagery analyst and member of the Department of the Interior’s National Geospatial Advisory Committee, security lapses like this are a natural consequence of diverse businesses (like Uber and others) collecting and sharing global location data.
“I’m not sure [Strava] should be held at fault,” Pomfret said. “We’re just in this evolving nature of laws and policies that we’re trying to come to grips with. In the geospatial community, people understand these sensitivities, but all these other companies collecting and using [location] information don’t have insight into those issues.”
NPR reports that the Pentagon is reviewing its GPS and wearable electronics policy to determine whether further training or guidance for service members is necessary and whether smart device protocol at sensitive locations should be amended.